
HIPAA Compliance During Litigation and Discovery: Safeguarding PHI



  1. Presenting a live 90-minute webinar with interactive Q&A. HIPAA Compliance During Litigation and Discovery: Safeguarding PHI and Avoiding Violations When Responding to Subpoenas and Discovery Requests. THURSDAY, OCTOBER 16, 2014, 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific. Today’s faculty features: Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.; Philip H. Lebowitz, Partner, Duane Morris, Philadelphia. The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

  2. Tips for Optimal Quality (FOR LIVE EVENT ONLY)
     Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-927-5568 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.
     Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

  3. Continuing Education Credits (FOR LIVE EVENT ONLY)
     For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
     • In the chat box, type (1) your company name and (2) the number of attendees at your location
     • Click the SEND button beside the box
     If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form). You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner. If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

  4. Program Materials (FOR LIVE EVENT ONLY)
     If you have not printed the conference materials for this program, please complete the following steps:
     • Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
     • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
     • Double click on the PDF and a separate page will open.
     • Print the slides by clicking on the printer icon.

  5. HIPAA Compliance During Litigation and Discovery. Thursday, October 16, 2014, 1 – 2:30 p.m. (ET) | Noon – 1:30 p.m. (CT) | 10 – 11:30 a.m. (PT). Presented by: Nathan A. Kottkamp, McGuireWoods LLP, nkottkamp@mcguirewoods.com; Philip H. Lebowitz, Duane Morris LLP, Lebowitz@duanemorris.com

  6. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

  7. What Kind of Information is Protected?
     Protected Health Information (PHI) is any information, including genetic information, whether oral or recorded in any form or medium, that:
     • Is created or received by a health care provider, health plan, or health care clearinghouse; and
     • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

  8. Omnibus Final Rule
     • On January 17, 2013, HHS released the Omnibus Final Rule (“Final Rule”) interpreting and implementing provisions of the HITECH Act
     • Effective date: March 26, 2013
     • Compliance date: September 23, 2013
     • Revision date for certain existing business associate agreements: September 22, 2014

  9. Core Elements of HIPAA: Unchanged
     • The Privacy Rule – establishes individuals’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates
     • The Security Rule – establishes requirements for protecting electronic PHI
     • The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI
     • The Enforcement Rule – establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA

  10. Key Changes to HIPAA Under Omnibus Final Rule
     • Breach “risk of harm” standard replaced with more objective test
     • Definition of “business associate” expanded to include entities that maintain or store PHI even if they do not view the PHI
     • Subcontractors of business associates that use or disclose PHI are directly subject to HIPAA (regardless of whether there is a BAA)
     • Expansion of liability of business associates (and subcontractors, as applicable) under the Privacy Rule and the Security Rule
     • Individuals have a right to obtain electronic copies of PHI upon request if the PHI is maintained electronically
     • Individuals may restrict disclosures regarding treatment paid out-of-pocket, in full
     • Notices of Privacy Practices must include additional information
     • Easing of rules for PHI with respect to research, fundraising, and decedents
     • Tightening of rules for marketing and sale of PHI
     • GINA (Genetic Information Non-Disclosure Act of 2008) incorporated
     • Enforcement rule expanded

  11. What’s Next?
     • MORE, MORE, MORE
         – Education
         – Policies
         – Monitoring
         – Documentation
         – Scrutiny
         – Enforcement

  12. Primary Methods of Obtaining Medical Records Pursuant to HIPAA
     • Patient request
         – 45 C.F.R. 164.502(a)(1)(i)
         – 45 C.F.R. 164.524
     • Patient authorization of third party
         – 45 C.F.R. 164.502(a)(1)(iv)
         – 45 C.F.R. 164.508
     • Subpoena or other discovery order
     • Court or administrative order
     Reminder: In all cases, must follow the more restrictive of HIPAA or applicable state law.

  13. Patient Request for Medical Records
     • Patients have the right to request copies of most medical records, whether in paper or electronic form
     • Requestor must be patient, patient’s parent or guardian, or caregiver (with patient’s permission)
     • Request must be made in writing
     • Providers required to keep HIPAA records for six years (state law may require longer)
     • In limited cases the provider may refuse the request (e.g., mentally ill patient at risk of self-harm)
     • A potentially more rigorous accounting of disclosures may be requested in future

  14. Cignet Health of Prince George’s County

  15. Cignet Health of Prince George’s County, MD - Landmark HIPAA Civil Monetary Penalty, February 4, 2011
     • The first-ever civil money penalty of $4.3 million
     • Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.
         – The HIPAA Privacy Rule requires that a Covered Entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.
         – The CMP for these violations is $1.3 million.
     • Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.
         – Covered Entities are required under law to cooperate with the Department’s investigations.
         – The CMP for these violations is $3 million.

  16. HIPAA and Litigation
     • HIPAA permits disclosure for judicial or administrative proceedings
     • In response to
         – A court order or order of an administrative tribunal
         – “a subpoena, discovery request, or other lawful process”
     • Without court order, provider must receive “satisfactory assurance” that “reasonable efforts” have been made to
         – “ensure” that the affected patient has been given notice; or
         – Secure a “qualified protective order”
     • Provider may disclose without court order by itself making reasonable efforts to provide notice to patient
     Citation: 45 C.F.R. 164.512(e) (“Disclosures for Judicial and Administrative Proceedings”)

  17. When patient is a party
     • Patient is plaintiff and requests own records
     • Patient and provider both parties
         – Patient has placed medical condition in question – waiver
         – Still may need and can obtain authorization for provider to use records

  18. Patient is a party but provider is not
     • Opposing party seeks patient’s medical records from non-party provider
         – Typically through subpoena
         – Provider should insist on patient authorization
         – If not, inform patient of subpoena and obligation to produce records if subpoena not quashed
         – Move to quash subpoena

  19. HIPAA Authorization
     • Describe information to be disclosed
     • Who authorized to disclose
     • Who authorized to receive
     • Purpose of disclosure
     • Expiration date or event
     • Signed and dated by patient
     • Must include statement re right to revoke, potential for disclosure by recipient

  20. Statements Required for Effective Authorization
     The patient must affirm knowledge of:
     • The right to revoke the authorization
     • No conditioning of care, payment, or coverage on the authorization
     • The potential for redisclosure
     Citation: 45 C.F.R. 164.508(c)(2)
